[pmwiki-users] ZAP security vulnerability...
The Editor
editor at fast.st
Tue May 1 17:26:37 CDT 2007
Pm has been kind enough to study the ZAP code and found a serious
security vulnerability. We are still looking for a solution.
Basically the problem is in PmWiki's ability to impose page content
from an editable page onto a page that is not editable and load that
page as if it were in the source code. You could argue this is a
PmWiki vulnerability, (which allow users to insert a ZAPform onto a
page they cannot edit) but regardless it will need to be fixed.
Unfortunately there is no immediate good solution (I've explored
several). ZAP users should therefore use extreme caution about
enabling ANY pages on a ZAP enabled site for editing--even if ZAP is
only enabled on one page. ZAP should still be safe on sites were
editing is not enabled anywhere except by untrusted users.
My apologies to the community for this problem, and my commendations
to Pm for finding it. I will be posting some stopgap fixes as soon as
possible--but I'll be leaving out of town for a week and may have
limited internet access while away. Hopefully I can find some time to
work on this...
Cheers,
Dan
More information about the pmwiki-users
mailing list